2 * Copyright (c) 2019 Alexey Dobriyan <adobriyan@gmail.com>
4 * Permission to use, copy, modify, and distribute this software for any
5 * purpose with or without fee is hereby granted, provided that the above
6 * copyright notice and this permission notice appear in all copies.
8 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
9 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
10 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
11 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
12 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
13 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
14 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17 * Fork and exec tiny 1 page executable which precisely controls its VM.
18 * Test /proc/$PID/maps
19 * Test /proc/$PID/smaps
20 * Test /proc/$PID/smaps_rollup
21 * Test /proc/$PID/statm
23 * FIXME require CONFIG_TMPFS which can be disabled
24 * FIXME test other values from "smaps"
25 * FIXME support other archs
36 #include <sys/mount.h>
37 #include <sys/types.h>
41 #include <sys/syscall.h>
43 #include <linux/kdev_t.h>
/*
 * Direct execveat(2) entry point: forwards all five arguments unchanged to
 * syscall(SYS_execveat, ...) and returns its result.
 * It is defined ahead of the later "#define syscall 0x0f, 0x05", after which
 * the identifier no longer refers to the libc function.
 */
45 static inline long sys_execveat(int dirfd, const char *pathname, char **argv, char **envp, int flags)
47 return syscall(SYS_execveat, dirfd, pathname, argv, envp, flags);
/*
 * Give the test a /tmp of its own: enter a new mount namespace, mark every
 * mount below "/" private, then mount a fresh tmpfs on /tmp.
 */
50 static void make_private_tmp(void)
/* New mount namespace: the mounts made below stay out of the caller's namespace. */
52 if (unshare(CLONE_NEWNS) == -1) {
/* ENOSYS and EPERM are singled out; how that branch reacts is not shown in this excerpt. */
53 if (errno == ENOSYS || errno == EPERM) {
/* MS_PRIVATE|MS_REC on "/": no mount event propagates to or from peer mounts. */
58 if (mount(NULL, "/", NULL, MS_PRIVATE|MS_REC, NULL) == -1) {
/* Fresh tmpfs over /tmp; make_exe() opens its O_TMPFILE under this path. */
61 if (mount(NULL, "/tmp", "tmpfs", 0, NULL) == -1) {
66 static pid_t pid = -1;
/* Page size assumed by the test; the expected maps range is VADDR..VADDR + PAGE_SIZE. */
103 #define PAGE_SIZE 4096
/* Virtual address of the generated image: e_entry is VADDR plus the two headers. */
104 #define VADDR (1UL << 32)
/* Offset in the expected maps line at which the pathname is written. */
105 #define MAPS_OFFSET 73
/*
 * Byte encoding of the x86-64 "syscall" instruction, for use inside payload[].
 * From this line on the identifier expands to these two bytes instead of
 * naming the libc function.
 */
107 #define syscall 0x0f, 0x05
110 (x)&0xff, ((x)>>8)&0xff, ((x)>>16)&0xff, ((x)>>24)&0xff, \
111 ((x)>>32)&0xff, ((x)>>40)&0xff, ((x)>>48)&0xff, ((x)>>56)&0xff
115 (x)&0xff, ((x)>>8)&0xff, ((x)>>16)&0xff, ((x)>>24)&0xff, \
116 ((x)>>32)&0xff, ((x)>>40)&0xff, ((x)>>48)&0xff, ((x)>>56)&0xff
119 0xb8, (x)&0xff, ((x)>>8)&0xff, ((x)>>16)&0xff, ((x)>>24)&0xff
/*
 * Machine code executed by the test child. As far as this excerpt shows, it
 * first unmaps the address range above its own page, then writes one byte to
 * fd 0 and jumps backwards in a loop.
 */
121 static const uint8_t payload[] = {
122 /* Casually unmap stack, vDSO and everything else. */
/* Range start: the first byte after the page at VADDR. */
124 mov_rdi(VADDR + 4096),
/* Range length: start + length ends at (1 << 47) - 4096. */
125 mov_rsi((1ULL << 47) - 4096 - VADDR - 4096),
130 /* write(0, &c, 1); */
131 0x31, 0xff, /* xor edi, edi */
132 0x48, 0x8d, 0x35, 0x00, 0x00, 0x00, 0x00, /* lea rsi, [rip] */
133 0xba, 0x01, 0x00, 0x00, 0x00, /* mov edx, 1 */
141 0xeb, 0xf7, /* jmp 1b */
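/*
 * Write a minimal ELF64 image (ELF header, one program header, then the
 * payload bytes) into an unnamed temporary file under /tmp.
 *
 * payload: machine code to place right after the two headers.
 * len:     number of bytes at payload.
 *
 * The return statement is outside this excerpt; main() stores the result
 * in exec_fd and executes it.
 */
144 static int make_exe(const uint8_t *payload, size_t len)
147 struct elf64_phdr ph;
/* The three pieces are emitted back to back by a single writev(). */
149 struct iovec iov[3] = {
150 {&h, sizeof(struct elf64_hdr)},
151 {&ph, sizeof(struct elf64_phdr)},
152 {(void *)payload, len},
157 memset(&h, 0, sizeof(h));
/* Entry point is the first payload byte, directly after both headers. */
169 h.e_entry = VADDR + sizeof(struct elf64_hdr) + sizeof(struct elf64_phdr);
170 h.e_phoff = sizeof(struct elf64_hdr);
173 h.e_ehsize = sizeof(struct elf64_hdr);
174 h.e_phentsize = sizeof(struct elf64_phdr);
180 memset(&ph, 0, sizeof(ph));
/* PF_R | PF_X: the segment is readable and executable, not writable. */
182 ph.p_flags = (1<<2)|1;
/*
 * The segment size is built from len. Inside this function "payload" is the
 * pointer parameter, so sizeof(payload) is the size of a pointer and not the
 * number of payload bytes; it also disagrees with the length checked after
 * writev() below.
 */
186 ph.p_filesz = sizeof(struct elf64_hdr) + sizeof(struct elf64_phdr) + len;
187 ph.p_memsz = sizeof(struct elf64_hdr) + sizeof(struct elf64_phdr) + len;
/* O_TMPFILE creates an unnamed inode in /tmp; with O_EXCL it can never be linked into the filesystem. */
190 fd = openat(AT_FDCWD, "/tmp", O_WRONLY|O_EXCL|O_TMPFILE, 0700);
/* A short write would leave a truncated image, so the full expected length is required. */
195 if (writev(fd, iov, 3) != sizeof(struct elf64_hdr) + sizeof(struct elf64_phdr) + len) {
199 /* Avoid ETXTBSY on exec. */
/*
 * Re-open the same file read-only through /proc/self/fd. O_CLOEXEC makes the
 * kernel close this descriptor on a successful exec.
 */
200 snprintf(buf, sizeof(buf), "/proc/self/fd/%u", fd);
201 fd1 = open(buf, O_RDONLY|O_CLOEXEC);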
218 /* Reserve fd 0 for 1-byte pipe ping from child. */
/* The open must land on descriptor 0, so fd 0 has to be unused at this point. */
220 if (open("/", O_RDONLY|O_DIRECTORY|O_PATH) != 0) {
224 exec_fd = make_exe(payload, sizeof(payload));
226 if (pipe(pipefd) == -1) {
/* Put the pipe's write end on fd 0; the payload's write(0, ...) then arrives at pipefd[0]. */
229 if (dup2(pipefd[1], 0) != 0) {
/*
 * Execute the image by descriptor: an empty pathname together with
 * AT_EMPTY_PATH selects the file exec_fd refers to. argv and envp are NULL.
 * NOTE(review): the fork named in the file header is not part of this
 * excerpt; presumably this call runs in the child.
 */
238 sys_execveat(exec_fd, "", NULL, NULL, AT_EMPTY_PATH);
/* Wait for the one-byte ping on the read end before inspecting /proc. */
243 if (read(pipefd[0], &_, 1) != 1) {
/* st_dev and st_ino of the executable feed the expected maps line built next. */
248 if (fstat(exec_fd, &st) == -1) {
252 /* Generate "head -n1 /proc/$PID/maps" */
/*
 * buf0 starts out space-filled so the pathname can be placed at MAPS_OFFSET.
 * NOTE(review): presumably the NUL left by the first snprintf() is replaced
 * on a line not shown here, so both parts form one string - confirm.
 */
254 memset(buf0, ' ', sizeof(buf0));
/* Address range, r-xp permissions, zero offset, device major:minor and inode of the executable. */
255 int len = snprintf(buf0, sizeof(buf0),
256 "%08lx-%08lx r-xp 00000000 %02lx:%02lx %llu",
257 VADDR, VADDR + PAGE_SIZE,
258 MAJOR(st.st_dev), MINOR(st.st_dev),
259 (unsigned long long)st.st_ino);
/*
 * Name expected for the mapping: the executable lives in an unnamed O_TMPFILE,
 * and the test expects maps to report it as "/tmp/#<inode> (deleted)".
 */
261 snprintf(buf0 + MAPS_OFFSET, sizeof(buf0) - MAPS_OFFSET,
262 "/tmp/#%llu (deleted)\n", (unsigned long long)st.st_ino);
265 /* Test /proc/$PID/maps */
271 snprintf(buf, sizeof(buf), "/proc/%u/maps", pid);
272 fd = open(buf, O_RDONLY);
276 rv = read(fd, buf, sizeof(buf));
/* Exact length match: maps must consist of this single line and nothing else. */
277 assert(rv == strlen(buf0));
278 assert(memcmp(buf, buf0, strlen(buf0)) == 0);
281 /* Test /proc/$PID/smaps */
287 snprintf(buf, sizeof(buf), "/proc/%u/smaps", pid);
288 fd = open(buf, O_RDONLY);
292 rv = read(fd, buf, sizeof(buf));
/* Reject a failed read (rv < 0) before rv is used as a length below. */
293 assert(0 <= rv && rv <= sizeof(buf));
/* smaps must begin with the same line that maps reported. */
295 assert(rv >= strlen(buf0));
296 assert(memcmp(buf, buf0, strlen(buf0)) == 0);
/* Either value is accepted for Rss and Pss: the single page counted (4 kB) or not (0 kB). */
298 #define RSS1 "Rss: 4 kB\n"
299 #define RSS2 "Rss: 0 kB\n"
300 #define PSS1 "Pss: 4 kB\n"
301 #define PSS2 "Pss: 0 kB\n"
302 assert(memmem(buf, rv, RSS1, strlen(RSS1)) ||
303 memmem(buf, rv, RSS2, strlen(RSS2)));
304 assert(memmem(buf, rv, PSS1, strlen(PSS1)) ||
305 memmem(buf, rv, PSS2, strlen(PSS2)));
/* Fixed-value fields: each string listed here must occur somewhere in the data read. */
307 static const char *S[] = {
309 "KernelPageSize: 4 kB\n",
310 "MMUPageSize: 4 kB\n",
312 "AnonHugePages: 0 kB\n",
313 "Shared_Hugetlb: 0 kB\n",
314 "Private_Hugetlb: 0 kB\n",
319 for (i = 0; i < sizeof(S)/sizeof(S[0]); i++) {
320 assert(memmem(buf, rv, S[i], strlen(S[i])));
324 /* Test /proc/$PID/smaps_rollup */
/* Expected header line, built like buf0: space-filled buffer, range first, name at MAPS_OFFSET. */
327 memset(bufr, ' ', sizeof(bufr));
/* The rollup header carries no permissions, device or inode: "---p", 00:00 and 0. */
328 len = snprintf(bufr, sizeof(bufr),
329 "%08lx-%08lx ---p 00000000 00:00 0",
330 VADDR, VADDR + PAGE_SIZE);
332 snprintf(bufr + MAPS_OFFSET, sizeof(bufr) - MAPS_OFFSET,
339 snprintf(buf, sizeof(buf), "/proc/%u/smaps_rollup", pid);
340 fd = open(buf, O_RDONLY);
344 rv = read(fd, buf, sizeof(buf));
/* Reject a failed read (rv < 0) before rv is used as a length below. */
345 assert(0 <= rv && rv <= sizeof(buf));
347 assert(rv >= strlen(bufr));
348 assert(memcmp(buf, bufr, strlen(bufr)) == 0);
/* Same Rss/Pss alternatives as in the smaps check: 4 kB or 0 kB. */
350 assert(memmem(buf, rv, RSS1, strlen(RSS1)) ||
351 memmem(buf, rv, RSS2, strlen(RSS2)));
352 assert(memmem(buf, rv, PSS1, strlen(PSS1)) ||
353 memmem(buf, rv, PSS2, strlen(PSS2)));
/* Fixed-value fields: each string listed here must occur somewhere in the data read. */
355 static const char *S[] = {
357 "AnonHugePages: 0 kB\n",
358 "Shared_Hugetlb: 0 kB\n",
359 "Private_Hugetlb: 0 kB\n",
364 for (i = 0; i < sizeof(S)/sizeof(S[0]); i++) {
365 assert(memmem(buf, rv, S[i], strlen(S[i])));
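369 /* Test /proc/$PID/statm */
375 snprintf(buf, sizeof(buf), "/proc/%u/statm", pid);
376 fd = open(buf, O_RDONLY);
380 rv = read(fd, buf, sizeof(buf));
/*
 * Every field is expected to be exactly one digit wide, so the values sit at
 * even offsets and the separating spaces at odd offsets.
 */
383 assert(buf[0] == '1'); /* ->total_vm */
384 assert(buf[1] == ' ');
385 assert(buf[2] == '0' || buf[2] == '1'); /* rss */
386 assert(buf[3] == ' ');
/*
 * Both alternatives test buf[4]. Testing buf[2] in the second one would let
 * any file-rss digit pass whenever rss is '1'.
 */
387 assert(buf[4] == '0' || buf[4] == '1'); /* file rss */
388 assert(buf[5] == ' ');
389 assert(buf[6] == '1'); /* ELF executable segments */
390 assert(buf[7] == ' ');
391 assert(buf[8] == '0');
392 assert(buf[9] == ' ');
393 assert(buf[10] == '0'); /* ->data_vm + ->stack_vm */
394 assert(buf[11] == ' ');
395 assert(buf[12] == '0');
396 assert(buf[13] == '\n');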